tremor77 wrote: I do find in my workplace, as we strictly enforce a secure password policy.. 9/10 users have their password written down, many in plain sight.. because.. the average user is blatantly lazy. Yellow sticky note on the monitor. My boss.. feels he is clever, his is under the keyboard.

I feel your pain on this one. We have a similar setup in my workplace. Passwords must be of length 8+ with variations of alpha-numeric and punctuation characters. But, as you so aptly put it, the average user is blatantly lazy, and so rather than memorise passwords that are harder to remember than 'my dog's name and my year of birth added to the end', those unaware of the necessity of password security have taken it upon themselves to pool their passwords (just in case personX is off is the logic... apparently) in a discreetly hidden notepad... a copy of which resides on each person's desk, and often finds its way into their bags / other carrying medium at the end of the day.

Bearing in mind that we use 'forename.surname' as our userid syntax and each standard user has the ability to charge transactions to the company account and most PCs have RDP enabled.

Sorry to take this a little off-topic, but my point here being that no amount of password strength, password or passphrase, will matter when this kind of thing happens.

For a user other than you or I, a password will always be something extremely simple, such as M0onUn1t or equivalent. I wrote a program to randomly generate my password so it uses every key on my laptop keyboard, and made it 16 characters. I calculated that with 86 keys and 16 characters, 8953136790196197357146289012736 tries are necessary to break it (or 2992179271065856 for 8 characters). Say it's on my personal server, and at best, 100 million attempts can be made a second. This requires 89531367901961973571462 seconds for the 16 character, and 29921792 seconds for the 8 character, equivalent to just short of a year. So long as I replace my password at least that often, I'm safe.

To compare this to a passphrase, 40000 English words is equivalent to more than 2 characters, and so a four word passphrase is like an eight character password, and an eight word phrase is unbreakable.

EDIT: So long as the server uses a slow hash algorithm on the password with every attempt, and an attempt takes a second, you're brute force proof.
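The keyspace and time-to-exhaust arithmetic in the post above, as an added worked example (this is not the poster's generator program, and it only reproduces the estimate, it does not generate passwords). It assumes the post's figures: an 86-key alphabet, 100 million guesses per second for a fast hash, 1 guess per second for the slow hash mentioned in the edit, and a 40000-word vocabulary for passphrases; the `equivalent_chars` helper is an addition that expresses a passphrase's keyspace in the same units as a random password.

```python
import math

# Assumed constants, taken from the post rather than from any measurement.
KEYBOARD_KEYS = 86           # distinct keys the generator can pick from
VOCABULARY = 40000           # size of the English word list for passphrases
FAST_HASH_RATE = 100_000_000 # guesses per second against an unsalted fast hash
SLOW_HASH_RATE = 1           # guesses per second when each attempt takes a second
SECONDS_PER_YEAR = 365 * 24 * 3600


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of candidates an exhaustive search must cover for a uniformly
    random string of `length` symbols drawn from `alphabet_size` symbols."""
    return alphabet_size ** length


def seconds_to_exhaust(space: int, guesses_per_second: int) -> int:
    """Worst-case time to try every candidate, in whole seconds (floor division,
    which is how the post's figures were produced)."""
    return space // guesses_per_second


def equivalent_chars(words: int, vocabulary: int = VOCABULARY,
                     alphabet_size: int = KEYBOARD_KEYS) -> float:
    """How many random characters from `alphabet_size` give the same keyspace as
    `words` random words from a `vocabulary`-word list."""
    return words * math.log(vocabulary) / math.log(alphabet_size)


def estimate(length: int, alphabet_size: int = KEYBOARD_KEYS,
             guesses_per_second: int = FAST_HASH_RATE) -> dict:
    """Summarise the brute-force resistance of one random password."""
    space = keyspace(alphabet_size, length)
    secs = seconds_to_exhaust(space, guesses_per_second)
    return {
        "length": length,
        "keyspace": space,
        "seconds": secs,
        "years": secs / SECONDS_PER_YEAR,
    }


if __name__ == "__main__":
    for n in (8, 16):
        e = estimate(n)
        print(f"{n} chars: keyspace={e['keyspace']} "
              f"seconds={e['seconds']} years={e['years']:.2f}")
    # The slow-hash case from the edit: one attempt per second.
    e = estimate(8, guesses_per_second=SLOW_HASH_RATE)
    print(f"8 chars at 1 guess/s: years={e['years']:.0f}")
    for w in (4, 8):
        print(f"{w} words ~ {equivalent_chars(w):.1f} random characters")
```

Running it reproduces the post's numbers for 8 and 16 characters and shows why the edit matters: at one guess per second the 8-character case moves from under a year to roughly ninety million years, without the password getting any longer.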